UNCLASSIFIED

United States Department of State
and the Broadcasting Board of Governors
Office of Inspector General

Office of Audit

Report on the External Quality Control Review of the Federal Deposit
Insurance Corporation’s Inspector General Audit Organization

Report on the External Quality Control Review of the FDIC’s IG Audit
Organization - November 2007


INTRODUCTION

The Department of State, Office of Inspector General (DOS OIG), Office of
Audits reviewed the system of quality control for the audit function of the
Federal Deposit Insurance Corporation, Office of Inspector General (FDIC OIG)
in effect for the year ended March 31, 2007. A system of quality control
encompasses the organizational structure and the policies adopted and
procedures established to provide an OIG with reasonable assurance of
conforming with generally accepted government auditing standards (GAGAS). The
elements of quality control are described in Government Auditing Standards
2003 Revision, promulgated by the Comptroller General of the United States.
The design of the system, and compliance with it in all material respects,
are the responsibility of the FDIC OIG. DOS OIG’s objective was to determine
whether the internal quality control system was adequate as designed and
complied with to provide reasonable assurance that applicable auditing
standards, policies, and procedures were met. DOS OIG’s responsibility was to
express an opinion on the design of and the FDIC OIG’s compliance with the
system based on this review.

The review was conducted in accordance with the guidelines established by the
President’s Council on Integrity and Efficiency and the Executive Council on
Integrity and Efficiency. In performing the review, DOS OIG obtained an
understanding of the system of quality control for the FDIC OIG. In addition,
DOS OIG tested compliance with the FDIC OIG’s quality control policies and
procedures to the extent considered appropriate. These tests included the
application of the FDIC OIG’s policies and procedures on selected audits.
Because this review was based on selective tests, it would not necessarily
disclose all weaknesses in the system of quality control or all instances of
lack of compliance with it. Nevertheless, DOS OIG believes that the
procedures it performed provide a reasonable basis for its opinion.

Because there are inherent limitations in the effectiveness of any system of
quality control, departures from the system may occur and not be detected.
Also, projection of any evaluation of a system of quality control to future
periods is subject to risk that the system of quality control may become
inadequate because of changes in conditions or because the degree of
compliance with the policies or procedures may deteriorate.

In DOS OIG’s opinion, the system of quality control for the audit function of
the FDIC OIG in effect for the year ended March 31, 2007, was designed to
meet the requirements of the quality control standards established by the
Comptroller General for a federal government audit organization. In addition,
the system of quality control was complied with during the period reviewed to
provide FDIC OIG with reasonable assurance of conforming with applicable
auditing standards, policies, and procedures.

From its review, DOS OIG has the following findings and recommendations that
should improve the FDIC OIG’s compliance with GAGAS and its internal audit
policies and procedures. These findings are not of sufficient significance to
affect the DOS OIG’s overall unmodified opinion. However, FDIC OIG needs to
continue its diligence to maintain an effective quality control system.
Implementing the recommendations would improve the quality control system and
help to maintain an unmodified opinion.
These matters are discussed in the findings and recommendations that follow.

The background, scope, and methodology for this review can be found in
Appendix A; general comments regarding FDIC OIG are in Appendix B; and FDIC
OIG’s comments are in Appendix C.


FINDINGS AND RECOMMENDATIONS

POLICIES AND PROCEDURES

DOS OIG reviewed the FDIC OIG’s Office of Audits (OA) policies and procedures
and found that they were generally adequate for ensuring compliance with
GAGAS. This work entailed a comprehensive review of the policies and
procedures in such areas as professional judgment, competence, audit
planning, supervision, evidence and audit documentation, the final report,
and the quality control process. DOS OIG’s review disclosed that the policies
and procedures pertaining to personal and external impairments to
independence should be strengthened.

GAGAS 3.49 and 3.50 require audit organizations to have policies and
procedures that establish internal guidance for audits and attestation
engagements. OA’s Office of the Assistant Inspector General for Audits (AIGA)
is responsible for developing policies and procedures to ensure that audit
engagements comply with GAGAS. The policies and procedures pertaining to the
general standard of independence include the FDIC OIG’s Policies and
Procedures Manual and other advisories and administrative notices in effect
during the scope of this review.
These policies and procedures, however, need strengthening with respect to
personal and external impairments to independence.

Personal Impairments to Independence

The Policies and Procedures Manual requires the immediate notification of the
supervisor in the event of a personal impairment to independence, but this
guidance is incomplete. The manual lacks guidance on the supervisor’s
specific duties to report and resolve personal impairments as well as the
repercussions to staff for failure to report such impairments.

The personal impairment of staff members, per GAGAS 3.07, results from
relationships and beliefs that might cause auditors to limit the extent of
the inquiry, limit disclosure, or weaken or slant audit findings in any way.
Although the Policies and Procedures Manual requires all staff members to
immediately notify their supervisor if they have any personal impairments to
independence, it does not specify how supervisors are to report and resolve
impairments. GAGAS 3.07 and 3.09 require audit organizations to maintain
independence and resolve personal impairments promptly; however, the lack of
specific OA guidance hampers such efforts.
Although no personal impairments were identified during the review, improved
guidance for reporting and resolving personal impairments if they occur is
needed to preclude any possible adverse impact on independence.

Additionally, the Policies and Procedures Manual states that “failure to
properly disclose impairments to independence during an assignment can lead
to disciplinary actions.” The OA also has mechanisms to ensure that its staff
is aware of these responsibilities. The manual, however, does not elaborate
on this disciplinary mechanism and the actions that could be taken against
staff members who fail to report a personal impairment. Although this review
did not identify any personal impairments, guidance is needed to strengthen
OA policies and procedures.

External Impairments to Independence

The Policies and Procedures Manual guidance on external impairments to
independence is incomplete. OA only recently addressed the topic, and the
manual still does not delineate how staff should report and resolve an
external impairment.

External impairments, according to GAGAS 3.19, occur when auditors are
deterred from acting objectively and exercising professional skepticism by
pressures, actual or perceived, from management and employees of the audited
entity or oversight organizations. Additionally, GAGAS 3.20 states that an
audit organization’s internal quality control system “should include internal
policies and procedures for reporting and resolving external impairments.”

However, the Policies and Procedures Manual guidance on external impairments
is incomplete. In fact, external impairments were not addressed at all until
the 2006 revision of the guidance for policies 300.1 4a (1) (d) and 300.1 5
(b) and (c).
Policy 300.1 4a (1) (d) addresses identifying external impairments, but only
for reporting and resolving such impairments that are a result of denial of
access to information. Policies 300.1 5 (b) and (c) state that directors and
associate directors are to report any external impairments – not only those
that are a result of denial of access to information – to the AIGA, and the
AIGA is to report external impairments to the Inspector General and the
deputy inspector general. The policies do not include guidance to the staff
for reporting or resolving external impairments. No external impairments were
identified during the review; however, additional guidance is needed to
ensure that staff is aware of how to report and resolve external impairments
that could adversely affect an auditor’s independence.

    Recommendation 1: The FDIC Inspector General should require the assistant
    inspector general for audits to ensure that the Policies and Procedures
    Manual contains adequate guidance on (a) reporting and resolving personal
    impairments, (b) identifying the disciplinary mechanism and actions that
    could be taken if personal impairments are not reported, and (c)
    reporting and resolving external impairments.

In its comments to the draft report, FDIC OIG officials said that they will
add the recommended guidance to the Policies and Procedures Manual to reflect
the Government Auditing Standards July 2007 revision.
FDIC OIG anticipates the corrective action will be completed by February 29,
2008.


REQUIRED WORKING PAPER DOCUMENTATION

DOS OIG performed a review of five randomly selected audits conducted by FDIC
OIG and found that working paper documentation was generally adequate and in
conformance with GAGAS and the Policies and Procedures Manual. This extensive
and detailed review covered various stages of the audit process, including
planning and implementation.

For example, specific areas of planning that DOS OIG reviewed included
whether the audit plan defined the objectives of the audit, provided for the
collection and analysis of sufficient background data, provided for the
identification and testing of compliance with legal and regulatory
requirements, and provided for an assessment of internal controls.
Implementation areas of review included whether the audit documentation
adequately supported the universe, sampling plan, and sampling criteria; the
auditors obtained evidence about the reliability of the data used from
computer-based systems, if data were significant to the audit findings; the
auditors performed sufficient tests to determine the adequacy of the
auditee’s internal control system; and the auditors adequately tested for
violations and noncompliance with legal and regulatory requirements, if
significant to the audit objective.

DOS OIG concluded that the above and other areas were adequate for ensuring
compliance with GAGAS. However, this review did disclose some areas in need
of improvement; namely, approving, indexing, and updating the audit plan;
completing the statement of non-conflict of interest; completing the
statement of purpose, source, scope, and conclusion (PSSC); and completing
the required checklists and certifications.
Compliance with the appropriate sections of GAGAS and the Policies and
Procedures Manual will remedy these problems.

Audit Plan

This review found some problems with the audit plan. Areas in need of
improvement included approving, indexing, and updating the plan.

The Policies and Procedures Manual states that the audit plan should be
approved by the directors in OA and documented in the assignment working
papers before the start of fieldwork. The policy also requires that the audit
steps be indexed to the supporting assignment documentation and the program
modified if major changes occur in the scope.

For three of the five audits sampled, the audit plan needed improvement in
these areas. For all three of these audits, the audit plan was approved after
the fieldwork start date, the program was not indexed to the supporting
documentation in TeamMate, and the audit steps were not signed off by the
audit staff as completed.[1] Additionally, there was an instance where the
audit plan was not updated to include additional work performed.

Statement of Non-Conflict of Interest

FDIC requires all audit staff to certify each year that they understand GAGAS
requirements and FDIC policies and procedures regarding independence.
However, documentation on whether staff had any personal impairments to
independence was not always provided in the working papers by all staff
assigned to audits, as required by the Policies and Procedures Manual.

Per policy 320.2, the statement of non-conflict of interest is to be
completed by the cognizant OA director, deputy assistant inspector general
for audits (DAIGA), AIGA, team members, and other staff having input into the
assignment before the start of work to indicate their independence regarding
the specific assignment. The chapter also directs that the statement signed
by all team members be maintained in the assignment documentation.

However, the statement of non-conflict of interest was not signed by all
audit team members for three of the five audits sampled. Moreover, the
statements for two of these three audits were signed by some of the team
members after the fieldwork began, despite the assignment of these
individuals to the audits before the commencement of this work.

[1] TeamMate is a software package used for preparing and maintaining audit
documentation.

Statement of Purpose, Source, Scope, and Conclusion

This review identified problems with inadequate or missing working paper
documentation for the statement of PSSC, as required by the Policies and
Procedures Manual. More specifically, a review of the five audits sampled
disclosed that two of them had rates of inadequate or missing working paper
documentation for PSSC of 96 percent and 19 percent, as shown in Table 1.
Although the rates for this deficiency were nine percent or less for the
other three audits, these important requirements of GAGAS and the Policies
and Procedures Manual need to be consistently followed for all audits.

Table 1: Statement of Purpose, Source, Scope, and Conclusion

Report    Number of Working   Number of Working Papers       Percentage of Working Papers
Number    Papers Reviewed     With Deficient PSSC Elements   With Deficient PSSC Elements
06-015    113                 108                            96%
06-016    22                  2                              9%
06-023    213                 0                              0
06-026    290                 6                              2%
07-007    43                  8                              19%

Source: DOS OIG review of FDIC OIG documentation.

GAGAS 7.68 states, “Audit documentation should be appropriately detailed to
provide a clear understanding of its purpose and source and the conclusions
the auditors reached.” In addition, policy 320.6 requires that “each document
prepared must contain the following elements: objective/purpose/step, source,
scope, methodology/work performed, results/discussion, and conclusion of the
work performed to provide a clear understanding of the document’s purpose and
source and the conclusions reached, as well as evidence of supervisory
review.”

Moreover, the issue of deficient or missing PSSC elements on each document is
apparently a recurring problem.
An April 2007 FDIC OIG quality control review also identified this issue and
observed that “confusion continues regarding whether every assignment
document must contain the PSSC or whether assignment documents may be indexed
to the PSSC of the Procedure Summary.” The confusion was attributed to
Appendix B of the Policies and Procedures Manual, Policy 320.6, which states
that “Basic assignment documentation should contain, where appropriate, the
following elements . . ..” In its response to FDIC OIG’s quality control
review, OA replied that the policies and procedures would be revised to
correct the inconsistency, and staff would be advised of the correct
interpretation of the provisions. This change is to be included in FDIC OIG’s
February 29, 2008, revision to its Policies and Procedures Manual.

Required Checklists and Certifications

The documentation pertaining to the checklists and certifications required to
be completed for all five audits was deficient. This review disclosed various
problems with these documents, such as completion of the form in an untimely
manner or failure to fill out the form at all. More specifically, DOS OIG
reviewed five different checklists and certifications, listed in Table 2, for
the five audits in the sample and found problems with these documents in nine
instances out of 25 (36 percent). Moreover, in four of these nine instances,
the form was not completed at all.
(The 16 instances without deficiencies are designated in the table below by
checkmarks.)

Table 2: Required Checklists and Certifications

Checklist or                Report Number       Report Number       Report Number  Report Number   Report Number
Certification               06-015              06-016              06-023         06-026          07-007

Referencing Checklist       Not filled out      Not filled out      ✓              ✓               ✓

Supervisory Assignment      Completed 32 days   Completed 10 days   ✓              Not filled out  ✓
Documentation Checklist     after final report  after final report
                            issuance            issuance

Auditor-in-Charge           Completed 26 days   Not indexed to      ✓              Not filled out  ✓
Assignment Documentation    after final report  audit
Checklist                   issuance            documentation

Independent Referencing     ✓                   ✓                   ✓              ✓               ✓
Quality Review
Certification

The GAGAS and OIG           ✓                   Director did        ✓              ✓               ✓
Policies and Procedures                         not sign
Certification Statements

Source: DOS OIG review of FDIC OIG documentation.

OA uses several checklists and certifications to assist in the review of
audit assignments and reports and to help ensure that applicable GAGAS
standards are met. The five listed in Table 2 are among the more salient. For
example, the Auditor-in-Charge Assignment Documentation Checklist, per the
Policies and Procedures Manual, is “designed to assist the Auditor-in-Charge
in assignment planning, supervision, legal and regulatory requirements,
management and information system controls, sampling, assignment
documentation structure, and cross-indexing and referencing.” This checklist
and the others are valuable tools, but their value is diminished when they
are not completed in a timely manner or at all.

    Recommendation 2: The FDIC Inspector General should require the assistant
    inspector general for audits to reiterate the necessity of preparing
    complete and timely working papers in conformance with the Policies and
    Procedures Manual. This reiteration should place special emphasis on
    required working papers for the audit plan; the statement of non-conflict
    of interest; the statement of purpose, source, scope, and conclusion; and
    the required audit checklists and certifications.

In its comments to the draft report, FDIC OIG said that it will reiterate to
the OA staff the importance of maintaining high-quality audit documentation
with emphasis on the specified quality control elements.
In addition, FDIC OIG anticipates consolidating a number of checklists and
certifications. FDIC OIG anticipates the corrective action will be completed
by February 29, 2008.


SUPERVISION OF AUDIT STAFF

OA generally complied with GAGAS in ensuring that auditors and others receive
appropriate guidance and effective supervision during the audit. GAGAS 7.44
states that “staff are to be properly supervised.” According to GAGAS 7.45,
“supervision involves directing the efforts of staff assigned to the audit to
ensure that the audit objectives are accomplished.” Elements of supervision
include providing sufficient guidance to staff members, reviewing the work
performed, and providing effective on-the-job training. Although there was
evidence of these elements throughout the audit process for all projects
reviewed, FDIC OIG needs to improve the timeliness of supervisory review of
working papers, especially of coaching notes, to ensure that it achieves
audit objectives, maintains audit quality, and fosters on-the-job training.

Supervisory Review of Audit Working Papers

OA needs to stress the importance of the timeliness of supervisory review of
audit working papers. A review of the five audits sampled disclosed that the
working papers for one of the audits was reviewed late 41 percent of the
time.
In all five audits, improvements in the timeliness of supervisory review
(defined by DOS OIG as within 30 days) could be made, as shown in Table 3.

Table 3: Supervisory Review of Audit Working Papers

Report    Number of Working   Number of Working Papers   Percentage of Working Papers
Number    Papers Reviewed     Reviewed After 30 days     Reviewed After 30 days
06-015    75                  31                         41%
06-016    217                 22                         10%
06-023    44                  7                          16%
06-026    494                 61                         12%
07-007    558                 68                         12%

Source: DOS OIG review of FDIC OIG documentation.

DOS OIG used 30 days as a threshold to determine untimely supervisory review
of audit working papers because FDIC OIG has not established a criterion. DOS
OIG uses this threshold for its own internal quality control reviews.
Irrespective of whether 30 days is the most appropriate measure, DOS OIG
urges FDIC OIG to establish some specific measurement in order to objectively
determine the timeliness of supervisory review of working papers.

In addition to aiding the efficient attainment of assignment objectives and
generally improving audit quality, timely review of working papers by
supervisors is essential to providing meaningful on-the-job training – an
element of supervision per GAGAS.
Untimely supervisory review of working papers can impact audit quality and
staff development.

Supervisory Follow-up of Coaching Notes

Supervisory follow-up of coaching notes also needs improvement.[2] For three
of the five audits sampled, the rate of untimely follow-up (defined by DOS
OIG as exceeding 30 days) for supervisors to clear coaching notes after the
staff provided responses was 19 percent or higher, as indicated in Table 4.
Again, both audit quality and on-the-job training can suffer when supervision
is untimely.

[2] During the course of audit fieldwork, questions may be asked or review
comments written. TeamMate refers to such comments as coaching notes.

Additionally, untimely response by staff to coaching notes is a problem. For
three of the five audits sampled, the percentage of notes responded to by
staff after 30 days was 21 percent or higher, as shown in Table 4. Although
GAGAS does not specifically address untimely responding by staff to coaching
notes, DOS OIG believes that it is a cause for concern, especially in light
of GAGAS 7.46.
This section states that “supervisors should satisfy themselves that staff
members clearly understand what work they are to do, why the work is to be
conducted, and what the work is expected to accomplish.” Timely supervisory
follow-up on coaching notes is important because it can clear up issues at
the early stage of an assignment before audit quality is adversely impacted.

Table 4: Response and Clearing of Supervisory Coaching Notes to Staff

          Number     Number Responded   Percentage Responded   Number Cleared by           Percentage Notes
Report    of Notes   to by Staff        to by Staff            Supervisors After 30 Days   Cleared by Supervisors
Number    Reviewed   After 30 Days      After 30 Days          From Response by Staff      After 30 Days
06-015    22         2                  9%                     5                           23%
06-016    15         5                  33%                    9                           60%
06-023    39         8                  21%                    0                           0
06-026    44         24                 55%                    22                          50%
07-007    68         9                  13%                    9                           13%

Source: DOS OIG review of FDIC OIG documentation.

    Recommendation 3: The FDIC Inspector General should require the assistant
    inspector general for audits to emphasize the importance of timeliness of
    supervisory review of working papers, staff response to supervisory
    comments on working papers, and the clearance of coaching notes.
    Consideration should be given to establishing a specific measurement for working paper
    review and for clearing coaching notes.

FDIC OIG concurred with the recommendation and said it will emphasize to OA staff the
importance of timely supervisory and staff actions regarding working papers. In addition,
the FDIC OIG’s Inspector General has asked the assistant inspector general for audits to
recommend specific timeliness measures. FDIC OIG anticipates the corrective action will be
completed by February 29, 2008.

CONTINUING PROFESSIONAL EDUCATION DOCUMENTATION

DOS OIG found that OA generally did not maintain adequate documentation supporting the
Continuing Professional Education (CPE) hours completed by staff subject to the CPE
requirements, as required by GAGAS as well as OA’s own internal guidance.

GAGAS 3.45 requires auditors performing work under GAGAS to complete, every two years, at
least 80 hours of CPE, with at least 20 of the 80 hours completed in any one year of the
two-year period. Moreover, Government Auditing Standards: Guidance on GAGAS Requirements
for Continuing Professional Education states that the audit organization is responsible for
maintaining documentation of the CPE hours completed by each auditor subject to the CPE
requirements.
If the audit organization elects to delegate the responsibility to the auditor for
maintaining the above documentation, then the audit organization should have adequate
procedures in place to ensure that its records of CPE hours earned by auditors are
supported by the documentation maintained by auditors. Furthermore, all CPE records should
be maintained for an appropriate period of time to satisfy any legal and administrative
requirements, including peer review.

Policy 120.1 states that audit and audit-related staff are required to maintain individual
training records that document completion of CPE hours to the satisfaction of an external
reviewer. Such evidence of completion includes grade reports, completion certificates,
course outlines, and agendas. Despite this policy, staff did not adequately maintain
individual training records. FDIC OIG’s Training and Professional Development System
database shows that each of the employees selected in DOS OIG’s sample amassed at least 80
CPE hours, per the GAGAS requirement. However, the maintenance of individual training
records by staff was inadequate. A random sample from the universe of the 53 individuals
subject to the CPE requirement disclosed that eight of 11 (73 percent) did not have
adequate documentation to support all their CPE hours recorded in FDIC OIG’s Training and
Professional Development System.

This problem was also identified during a June 2006 FDIC OIG quality control review. In
response, FDIC OIG issued Office of Audits Administrative Procedures #6, dated August 2006,
on continuing professional education.
In addition to providing guidance to staff on implementing the CPE requirement, it
instituted a new requirement effective January 1, 2007, that staff should meet the GAGAS
CPE requirement by “taking qualifying structured training for which participants are
provided with a completion certificate, documentation of a passing grade, or other evidence
of satisfactory completion.” Any CPE hours for which there is no evidence of completion
would not be counted as CPE hours for meeting the 80-hour requirement.

    Recommendation 4: The FDIC Inspector General should require the assistant inspector
    general for audits to reiterate its existing policy to the audit staff regarding
    maintaining adequate documentation on CPE hours completed.

FDIC OIG officials said that they will reiterate current policy for maintaining
documentation of CPE hours completed. They will also consider alternatives for updating the
current policy requirement for individual employees to maintain supporting documentation.
FDIC OIG anticipates the corrective action will be completed by February 29, 2008.

CONTRACT MONITORING AND OVERSIGHT MANAGEMENT RECORD KEEPING

The OA’s process for monitoring contract audits performed by independent public
accountants (IPA) generally complied with applicable GAGAS and OA policies and procedures.
The OA oversight manager reviewed contractor independence; held periodic status meetings
with the contractor; reviewed and cleared all issues regarding deliverables in a timely
manner; reviewed contractor audit documentation to ensure that adequate testing and
findings were supported by sufficient, competent, and relevant evidence in compliance with
GAGAS; reviewed the contractor report for compliance with GAGAS; and ensured that the
report transmittal accurately reflected the extent of FDIC OIG’s assurance over the
contractor’s work. The OA oversight manager also reviewed and approved contractor billings.
However, OA needs to store and maintain contract monitoring documentation as required by
FDIC OIG policies and procedures.

Although a review of the IPA contract file disclosed that OA was maintaining the contract
monitoring documentation, it was not being stored in a single file, nor was it being
maintained in one location in OA, as required by FDIC OIG policies and procedures.

The Policies and Procedures Manual, policy 370.1, requires that “throughout the term of the
contract, the Oversight Manager shall be responsible for maintaining a complete record of
the status and results of the oversight of the contract. The Oversight Manager file shall
be organized and maintained in accordance with the Oversight Manager File Checklist.” The
intent of the policy was to ensure that the contract monitoring documentation was
maintained in a single file or location for business continuity purposes.
Although oversight documentation was available, it was not the practice of the oversight
manager to maintain the records in a central file or location. Reemphasizing this
responsibility to the oversight manager should help to ensure continuity of contractor
oversight duties in the event of a disruption to normal operations.

    Recommendation 5: The FDIC Inspector General should require the assistant inspector
    general for audits to reemphasize to the oversight manager the importance of
    maintaining contract monitoring documentation in a single file or location.

FDIC OIG concurred with the recommendation and said it will reemphasize to the contract
oversight manager the importance of maintaining oversight files in a single file or
location to help ensure the continuity of oversight duties in the event of a disruption to
normal operations. FDIC OIG anticipates the corrective action will be completed by
February 29, 2008.

RECOMMENDATIONS

Recommendation 1: The FDIC Inspector General should require the assistant inspector
  general for audits to ensure that the Policies and Procedures Manual contains adequate
  guidance on (a) reporting and resolving personal impairments, (b) identifying the
  disciplinary mechanism and actions that could be taken if personal impairments are not
  reported, and (c) reporting and resolving external impairments.

Recommendation 2: The FDIC Inspector General should require the assistant inspector
  general for audits to reiterate the necessity of preparing complete and timely working
  papers in conformance with the Policies and Procedures Manual. This reiteration should
  place special emphasis on required working papers for the audit plan; the statement of
  non-conflict of interest; the statement of purpose, source, scope, and conclusion; and
  the required audit checklists and certifications.

Recommendation 3: The FDIC Inspector General should require the assistant inspector
  general for audits to emphasize the importance of timeliness of supervisory review of
  working papers, staff response to supervisory comments on working papers, and the
  clearance of coaching notes. Consideration should be given to establishing a specific
  measurement for working paper review and for clearing coaching notes.

Recommendation 4: The FDIC Inspector General should require the assistant inspector
  general for audits to reiterate its existing policy to the audit staff regarding
  maintaining adequate documentation on CPE hours completed.

Recommendation 5: The FDIC Inspector General should require the assistant inspector
  general for audits to reemphasize to the oversight manager the importance of maintaining
  contract monitoring documentation in a single file or location.

APPENDIX A - BACKGROUND, SCOPE, AND METHODOLOGY

BACKGROUND

The FDIC OIG is an independent unit that conducts audits, evaluations, investigations, and
other reviews of
FDIC’s programs and operations. Congress established FDIC to supervise banks, insure
deposits, and help maintain a stable and sound banking system. The FDIC OIG’s OA is
organized into two primary directorates: (1) Insurance, Supervision, and Receivership
Management Audits and (2) Systems Management and Security Audits, each of which reports
directly to the AIGA.

Scope and Methodology

DOS OIG tested compliance with the FDIC OIG’s system of quality control, primarily by
reviewing six randomly selected audit reports of the 24 issued during the September 30,
2006, and March 31, 2007, semiannual reporting periods. These tests included a review of
five performance audit reports conducted and issued by FDIC OIG. Also reviewed were the
monitoring activities for an audit performed under contract by an IPA. In addition, DOS OIG
reviewed recent internal quality control reviews performed by FDIC OIG.

DOS OIG conducted its review at the FDIC OIG’s offices in Arlington, VA, from February
through June 2007 in accordance with the President’s Council on Integrity and Efficiency
and the Executive Council on Integrity and Efficiency, Guide for Conducting External
Quality Control Reviews of the Audit Operations of the Inspector General, dated April 2005.

Audit Reports Reviewed

Report Number  Report Date         Report Title
06-015         July 20, 2006       FDIC’s Oversight of Technology Service Providers
06-016         August 10, 2006     Controls Over the Disposal of Sensitive FDIC Information by Iron Mountain, Inc.
06-020 [a]     September 25, 2006  The FDIC’s Efforts to Comply with OMB Memorandum M-06-16, Protection of Sensitive Agency Information
06-023         September 28, 2006  Examiner Use of Home Mortgage Disclosure Act Data to Identify Potential Discrimination
06-026         September 29, 2006  FDIC’s Contract Administration
07-007         March 30, 2007      Examination Assessment of the Reliability of Appraisals and Sufficiency of Insurance Coverage for Real Estate Lending

[a] Audit performed by IPA.
Source: OA reports issued during the Sept. 30, 2006-Mar. 31, 2007, reporting period.

APPENDIX B - GENERAL COMMENTS

DOS OIG observed numerous positive audit practices in the FDIC OIG’s audit organization.
Most importantly, the audit staff showed a high level of professionalism and expertise.
During discussions, the audit staff displayed a thorough knowledge of the audits reviewed
and the audit organization’s policies and procedures.

DOS OIG also found noteworthy practices and controls instituted to help ensure audits were
performed in accordance with professional standards.
The internal quality control review reports DOS OIG reviewed were insightful and contained
in-depth coverage of the organizational element assessed.

Appendix C